Bob McDowall, R.D. McDowall Ltd., UK
Yves Samson, Kereon. Switzerland
Dr Franz Schönefeld, GMP Inspector, Germany
- You will learn the current regulatory requirements and regulatory expectations for an audit trail (review)
- All GMP-relevant data (changes and deletions) should be audit trailed – you will learn how to identify GMP-relevant data
- Event and audit logs: you will understand the differences between and what the regulators expect
- How should an audit trail review be performed? You will get familiar with the content and the frequency of an audit trail review
Audit Trail Reviews are required by international regulations like US 21 CFR Part 11 and EU GMP Guide Annex 11. Clause 9 requests:
“Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed”.
Regulators focus on the (creation), modification and deletion of (GMP-relevant) data while many IT systems are not able to generate audit trails at all or they are not able to generate audit trails for GMP-relevant data.
Therefore, this Live Online Training is designed to support you to identify GMP-relevant data and how to perform and document an Audit Trail review as part of a second person review.
This Live Online Training is designed for managers and staff from health care industries as well for auditors who are responsible for the organisation and execution of audit trail (reviews) in their companies.
We use Webex for our live online training courses and webinars. At https://www.gmp-compliance.org/training/online-training-technical-information
you will find all the information you need to participate in our events and you can check if your system meets the necessary requirements to participate. If the installation of browser extensions is not possible due to your rights in the IT system, please contact your IT department. Webex is a standard nowadays and the necessary installation is fast and easy.
Why Is An Audit Trail and Its Review Important?
- Part 11 and Annex 11 / Chapter 4 requirements for audit trail
- Regulatory requirements for audit trail review
- Guidance documents for audit trail review
- Do I really need an audit trail?
Audit Trail vs. System Log
- Audit trail content
- Log files
- What and when should I review?
- Meaningful audit trails for a meaningful review
Case Study / Faciliated Discussion: Which Audit Trail to Review?
Attendees will be presented with an overview of the audit trails within an application and the content of each one. Which audit trails should be reviewed and when?
What are GMP-relevant Data?
Annex 11 requires that audit trails monitor GMP-relevant data – what are GMP-relevant data?
Case Study / Faciliated Discussion: Identifying GMP Relevant Data
Attendees will be presented with a list of records to identify if they are GMP records and how critical they are to help focus the second person review of audit trail data. Examples from production, laboratory and QA examples of GMP relevant data will be provided.
Review of Audit Trail Entries
- Guidance for frequent is “frequent review” of audit trails
- Process versus system: avoiding missing data integrity issues when only focussing on a per system review
- What are we looking for in an audit review?
- Suspected data integrity violation - What do we need to do?
Case Study / Faciliated Discussion: Reviewing Audit Trail Entries
Attendees will be provided with the output of an audit trail to review and see if any potential issues are identified for further investigation.
Technical Controls to Aid Second Person Review of Audit Trails
- Technical considerations for audit trail review e.g.
- Identifying data that has been changed or modified – how the system can help
- Documenting the audit trail review has occurred
- Review by exception – how technical controls can help
- Have you specified and validated these functions?